Contributed by: Asim Rahal
Do you know about data breaches? If you think no, then think again — have you heard about the data scandal of Cambridge Analytica and Facebook?
If yes, you know very well what a data breach is: the loss or theft of data — corporate data or users’ personal data — from an organization by malicious means.
The ever-growing list of companies that have suffered data breaches includes big names like eBay, Macy’s, Reddit, Twitter, etc. What’s the aftermath? These institutions lose people’s trust and their market value, and face legal penalties as well. For example, a monetary sanction is usually levied under GDPR.
So, the question arises: how can data breaches be prevented? There is no hard and fast rule for protecting data from malicious people, but there is a practice called Data Security. It helps organizations protect their own data and their users’ data from various types of attacks. However, it’s still very common to hear about a breach.
If companies are aware of data security, why do data breaches still happen? First of all, it’s almost impossible to fully protect a computer. Then, sometimes, companies don’t understand the importance of data security. So, they don’t put their best efforts into data security, and a data breach is usually the result.
That’s why this post discusses the worst data breaches of this century to help you — as a company owner or a security professional — understand the effects of a data breach, and thus the importance of data security. Let’s get started.
5 Worst Data Breaches of 21st Century
Yahoo [2013-2014]
Yahoo — the once popular giant — announced in September 2016 that 3+ billion user accounts were stolen during 2013-2014, making it the biggest known data breach in history. The data included names, email addresses, phone numbers, security questions, dates of birth, and encrypted passwords of its users.
As a result, its share price tanked by 5% in a day. The breach also cut $350 million from the price of its acquisition by Verizon. Yahoo was criticized for its late disclosure of the breaches and faced several lawsuits and an investigation by the United States Congress. Last but not least, users lost their trust in Yahoo.
Marriott International [2014-2018]
Marriott International — the popular hospitality group — faced a massive data breach affecting up to 500 million guests. Hackers extracted people’s personal data as well as loyalty program, payment, and reservation information. That’s not all: the encrypted credit card data of 100 million customers was also stolen.
The first breach originated in 2014 at Starwood, which was acquired by Marriott International in 2016. It was uncovered four years later, in September 2018, when a security tool alerted the company to unauthorized data access. Consequently, the company faced a class-action suit, and its shares also fell around 5.6%.
Adult Friend Finder [2016]
The FriendFinder Network, which includes Adult Friend Finder and adult content websites like Penthouse.com and Stripshow.com, was hacked in October 2016. The hack exposed data of 412 million accounts, including names and email addresses, comprising 20 years of data stored on six different systems.
What was their worst mistake? The passwords were stored as plain SHA-1 hashes — a fast hash function unsuitable for password storage — allowing hackers to crack most of the passwords. Then, they kept the data of 15 million deleted accounts for no reason. The network faced a class action lawsuit and was questioned over its security practices too.
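To make the FriendFinder mistake concrete, the following is an added example (not code from the original article or from the company): it stores a handful of constructed sample passwords two ways, once as bare SHA-1 (the scheme criticized above) and once with a per-user random salt and a slow key-derivation function (PBKDF2-HMAC-SHA256 from Python’s standard library). With bare SHA-1, two users who chose the same password get the same digest, so one precomputed lookup table recovers both; with a salted, iterated scheme the digests differ and each guess has to be recomputed per user. The user names, passwords, and iteration count are illustrative assumptions.

```python
import hashlib
import hmac
import os

# Constructed sample credentials (illustrative only, not real user data).
# Note that alice and bob picked the same password.
USERS = {"alice": "summer2016", "bob": "summer2016", "carol": "Tr0ub4dor&3"}


def sha1_unsalted(password: str) -> str:
    """The storage scheme the article criticizes: a single fast, unsalted
    SHA-1 digest. No salt means identical passwords hash identically, and
    a fast hash means attackers can test billions of guesses per second."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def pbkdf2_store(password: str, iterations: int = 600_000) -> str:
    """Hardened scheme: random 16-byte salt per user plus a deliberately slow
    KDF. The stored string carries everything needed to verify later."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def pbkdf2_verify(password: str, stored: str) -> bool:
    """Recompute the derived key with the stored salt and iteration count and
    compare in constant time to avoid leaking how many bytes matched."""
    _algo, iters, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iters)
    )
    return hmac.compare_digest(dk.hex(), dk_hex)


def count_duplicate_digests(hasher, creds: dict) -> int:
    """How many stored values collide across users. Any value above zero means
    one cracked hash exposes several accounts at once."""
    digests = [hasher(pw) for pw in creds.values()]
    return len(digests) - len(set(digests))


if __name__ == "__main__":
    print("duplicate SHA-1 digests:  ", count_duplicate_digests(sha1_unsalted, USERS))
    print("duplicate PBKDF2 records: ", count_duplicate_digests(pbkdf2_store, USERS))
    record = pbkdf2_store(USERS["carol"])
    print("verify correct password:  ", pbkdf2_verify(USERS["carol"], record))
    print("verify wrong password:    ", pbkdf2_verify("wrong", record))
```

The duplicate count is the point of the exercise: it is 1 for the unsalted scheme and 0 for the salted one on the same input. In practice a dedicated password hash such as Argon2id or bcrypt is preferable to PBKDF2, but the standard-library version is enough to show why a salt and a slow function matter.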
eBay [2014]
At eBay, intruders accessed data using three corporate employees’ credentials for several months until May 2014. They accessed personal data including names, addresses, and encrypted passwords of 145 million users. The method used to compromise the credentials was not disclosed but could have been malware or phishing.
The company took the breach seriously and advised all its customers to change their credentials. However, eBay was condemned for poor communication and a poorly implemented password-renewal form. The breach resulted in a decline in user activity, and eBay faced a class-action lawsuit as well.
Equifax [2017]
The data breach at Equifax — one of the largest credit bureaus — in July 2017 affected more than 147 million consumers. The hackers gained access to crucial data including Social Security Numbers, driver’s license numbers, addresses, etc. It also exposed the credit card data of 200+ thousand people.
How did it happen? The attackers managed to enter the company’s systems through a web application vulnerability in mid-May. Fortunately, Equifax found no evidence of unauthorized activity on its core credit reporting databases. Still, the result was devastating: its share price tanked by 18% in the span of a few days.
So, Why is Data Security Important?
Data Security is crucial for any organization, as it can make or break a company’s business as well as its reputation. However, Data Security has become an increasingly demanding task, since cyber criminals keep coming up with new methods to break into corporate systems, resulting in the loss or theft of sensitive information.
So, what kind of sensitive information gets lost or stolen? A data breach can expose a lot of information, of which the most sensitive includes a company’s financial or payment information, its Intellectual Property (IP), and its users’ financial, medical, or personal information. And that is not an exhaustive list.
Then, what are the common methods or reasons that lead to a data breach? The most common causes of a cyber attack are weak passwords, human error, malware and trojans, outdated software, etc. Application vulnerabilities, unsecured endpoints, and poor security systems contribute as well.
That said, the question arises: how can a data breach be prevented? The best method for securing data is a combination of hardware and software technologies: for example, antivirus, anti-malware, encryption tools, firewalls, software patches, two-factor authentication tools, system updates, etc.
However, it’s not easy to configure and monitor all these security methods and tools. That’s why you should look for a data security solution that identifies data breaches and security threats, monitors data leakage and unauthorized access, enforces limited access, and prohibits unsecured devices and endpoints.
Another method commonly used to prevent data breaches is penetration testing: a process in which “ethical hackers” (in the service of cybersecurity companies) probe the client’s web assets in an attempt to locate “points of failure” that could be used in an attack. Once pinpointed, these weaknesses can be sealed, preventing an attack and “proofing” the client’s digital assets.
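The monitoring capabilities listed above (unauthorized access, leakage, limited access, unapproved endpoints) are also what caught the Marriott intrusion, where a security tool raised an alert on unauthorized data access. The following is an added example, written for this article and not taken from any product or from the companies discussed: a small audit-log monitor that applies three checks to constructed sample log lines, namely whether a role is allowed to touch a table (least privilege), whether the access came from an approved device, and whether one account pulled a bulk volume of rows within an hour. The log format, role-to-table mapping, device list, and threshold are all assumptions chosen for the illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit-log lines (not real data):
# "<ISO timestamp> <user> <role> <table> <rows read> <device id>"
SAMPLE_LOG = """\
2018-09-08T09:00:00 jsmith front_desk reservations 12 laptop-0412
2018-09-08T09:05:00 jsmith front_desk reservations 8 laptop-0412
2018-09-08T09:07:00 jsmith front_desk payment_cards 3 laptop-0412
2018-09-08T09:10:00 svc_backup backup reservations 50000 srv-backup-01
2018-09-08T23:40:00 mlee analyst guests 40000 unknown-usb-77
2018-09-08T23:41:00 mlee analyst guests 60000 unknown-usb-77
"""

# Assumed policy: which roles may read which tables (least privilege),
# which endpoints are managed, and how many rows per hour counts as bulk.
ALLOWED_TABLES = {
    "front_desk": {"reservations"},
    "analyst": {"guests"},
    "backup": {"reservations", "guests", "payment_cards"},
}
APPROVED_DEVICES = {"laptop-0412", "srv-backup-01"}
BULK_THRESHOLD = 75_000   # rows per user within WINDOW (illustrative value)
WINDOW = timedelta(hours=1)


def parse_line(line: str) -> dict:
    """Split one log line into typed fields."""
    ts, user, role, table, rows, device = line.split()
    return {
        "ts": datetime.fromisoformat(ts),
        "user": user,
        "role": role,
        "table": table,
        "rows": int(rows),
        "device": device,
    }


def detect(log_text: str) -> list:
    """Return de-duplicated alerts as (kind, user, detail) tuples."""
    events = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    alerts, seen = [], set()

    def raise_alert(kind, user, detail):
        key = (kind, user, detail)
        if key not in seen:
            seen.add(key)
            alerts.append(key)

    # Check 1 and 2: per-event policy violations.
    for e in events:
        if e["table"] not in ALLOWED_TABLES.get(e["role"], set()):
            raise_alert("unauthorized_table", e["user"], e["table"])
        if e["device"] not in APPROVED_DEVICES:
            raise_alert("unapproved_device", e["user"], e["device"])

    # Check 3: bulk extraction, summed over a sliding one-hour window per user.
    by_user = defaultdict(list)
    for e in events:
        by_user[e["user"]].append(e)
    for user, evs in by_user.items():
        evs.sort(key=lambda x: x["ts"])
        for i, start in enumerate(evs):
            total = sum(x["rows"] for x in evs[i:] if x["ts"] - start["ts"] <= WINDOW)
            if total >= BULK_THRESHOLD:
                raise_alert("bulk_access", user, total)
                break
    return alerts


if __name__ == "__main__":
    for kind, user, detail in detect(SAMPLE_LOG):
        print(f"ALERT {kind:<20} user={user:<12} detail={detail}")
```

On the sample log, the front-desk account reading the payment_cards table, the analyst working from an unmanaged device, and that same analyst pulling 100,000 guest rows in two minutes each produce one alert, while the backup service account, which is permitted to read those tables from an approved server and stays under the hourly threshold, produces none. Thresholds like these should be derived from each role’s normal activity rather than picked by hand.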
Imperva’s data security solution is one example of a “360” product, which packs the best protective features for securing the data in your organization. It identifies sensitive data, searches for database vulnerabilities, monitors data activities, checks for risky or malicious users, masks sensitive data, and neutralizes ransomware as well.
It also offers FlexProtect Plans that feature various security systems in flexible packages for protecting your applications, data, or applications and data. They include many tools like Data Security Gateways, IP Reputation Intelligence, User Rights Management, Web Application Firewall, etc.
What is your opinion on data security? Do you think your organization is doing enough to protect its crucial data? Write a comment below to share feedback.
Asim Rahal is a Detroit-based independent service provider specializing in IT and cybersecurity. You can reach him on Twitter at https://twitter.com/AsimRahal
CISO MAG does not evaluate the advertised product, service, or company, nor any of the claims made by the advertisement. The facts, opinions, and language in the article do not reflect the views of CISO MAG and CISO MAG does not assume any responsibility or liability for the same.